frp Authentication Bypass Vulnerability in HTTP Vhost Routing

Vulnerability

An authentication bypass vulnerability has been identified in frp, a fast reverse proxy, affecting versions 0.43.0 prior to 0.68.0. The issue arises in the HTTP vhost routing path when 'routeByHTTPUser' is used for access control. In proxy-style requests, the routing logic incorrectly uses the username from 'Proxy-Authorization' to select the 'routeByHTTPUser' backend, while the access control check relies on the 'Authorization' header. This discrepancy allows an attacker to access a backend protected by 'httpUser' and 'httpPassword' by exploiting the routing logic, even with an incorrect 'Proxy-Authorization' password. The vulnerability specifically impacts deployments that use 'routeByHTTPUser' and does not affect standard HTTP proxies that do not utilize this feature.
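The defect described above is a desync between the credential used to pick the backend and the credential that is actually verified. The following Go snippet is an added illustration (not frp's code) of the safe pattern: for a proxy-style request both route selection and the password check read the same header; `Route`, `parseBasic` and the `backends` map are hypothetical simplifications of a routeByHTTPUser table.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// parseBasic decodes "Basic base64(user:pass)". Any malformed input yields
// ok=false so the caller falls through to a deny.
func parseBasic(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// Route selects the backend AND authorizes the request from one credential:
// Proxy-Authorization for a proxy-style request, Authorization otherwise.
// backends maps the routing HTTP user to that backend's expected password
// (hypothetical stand-in for httpUser/httpPassword). Reading the user from
// one header and checking the password from the other is the bug class here.
func Route(proxyAuth, auth string, proxyStyle bool, backends map[string]string) (string, bool) {
	cred := auth
	if proxyStyle {
		cred = proxyAuth
	}
	user, pass, ok := parseBasic(cred)
	if !ok {
		return "", false
	}
	want, found := backends[user]
	if !found || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
		return "", false
	}
	return user, true
}

func main() {
	be := map[string]string{"alice": "s3cret"} // constructed sample table
	fmt.Println(Route("Basic YWxpY2U6d3Jvbmc=", "", true, be)) // alice:wrong
}
```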

Impact

Exploitation of this vulnerability leads to unauthorized access to a protected backend, bypassing access controls. The impact varies depending on the nature of the service behind the protected route, potentially allowing access to private application endpoints, internal administration panels, or sensitive development and operations interfaces. In certain frp deployment scenarios, this vulnerability could be exploited to create additional plugin-based proxies through the frpc admin API, potentially exposing the Docker API and enabling host-level command execution, depending on specific deployment conditions.

Reproduction

The vulnerability can be reproduced by setting up an frp server with an HTTP vhost entrypoint and configuring a proxy to use 'routeByHTTPUser' for access control. Once the frp server is running, a request sent through the proxy with an incorrect 'Proxy-Authorization' password still grants access to the protected backend.

Remediation

Users can upgrade to frp version 0.68.1, where this vulnerability has been fixed.

Added: Apr 21, 2026, 9:54 PM
Updated: Apr 21, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  8.3
  remediation     0.0
  relevance       6.4
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.